summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/rpc_server/srv_pipe.c12
1 files changed, 12 insertions, 0 deletions
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index 3b015f9e0f..8bb7a231d5 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -1765,6 +1765,18 @@ static NTSTATUS dcerpc_check_auth(struct pipe_auth_data *auth,
return NT_STATUS_INVALID_PARAMETER;
}
+ /* Paranioa checks for auth_length. */
+ if (pkt->auth_length > pkt->frag_length) {
+ return NT_STATUS_INFO_LENGTH_MISMATCH;
+ }
+ if ((pkt->auth_length
+ + DCERPC_AUTH_TRAILER_LENGTH < pkt->auth_length) ||
+ (pkt->auth_length
+ + DCERPC_AUTH_TRAILER_LENGTH < DCERPC_AUTH_TRAILER_LENGTH)) {
+ /* Integer wrap attempt. */
+ return NT_STATUS_INFO_LENGTH_MISMATCH;
+ }
+
status = dcerpc_pull_auth_trailer(pkt, pkt, pkt_trailer,
&auth_info, &auth_length, false);
if (!NT_STATUS_IS_OK(status)) {